Update HIPAA Policies for New Reproductive Health Care Rights

1.5 minute read

Starting December 23, 2024, all covered entities and their business associates will need to adhere to stricter HIPAA privacy protections specifically for reproductive health care. These new regulations strictly forbid the use or disclosure of protected health information (PHI) related to lawful reproductive health care for:

• Any criminal, civil, or administrative investigation or proceeding against an individual in connection with reproductive health care; or
• Identifying any individual, health care provider, or other person for purposes related to such investigations or proceedings.

Regulated entities must secure a valid attestation to ensure permissible use or disclosure of PHI related to reproductive health care.

Affected Health Plans

The new privacy protections affect employers with self-insured health plans and those with fully insured plans that access PHI (excluding enrollment, summary health information, and HIPAA-authorized data). They do not affect employers with fully insured plans that lack access to PHI beyond these exceptions.

Action Steps

Employers with self-insured or fully insured health plans should update their HIPAA policies and train staff on new PHI restrictions related to reproductive health care. While new privacy protections don't mandate changes to business associate agreements, reviewing and updating them is advisable.

The U.S. Department of Health and Human Services has provided a model attestation form for employer-sponsored health plans to ensure PHI use or disclosure complies with new privacy protections. Health plans must update their HIPAA privacy notices by February 16, 2026. Download the bulletin for more details.